12.4. Provisioning settings
The provisioning job:
- Creates and updates contentACCESS users and assigns contentACCESS roles to them based on information gathered from SharePoint
In contentACCESS, a provisioning job is created automatically when activating SharePoint archive for the first time.
The process is similar for on-premises SharePoint and SharePoint online. The differences are as follows:
On-premises SharePoint
- Scans SharePoint groups and users and snapshots them in the SharePoint archive database
- Picks users with a Windows login and creates these users in contentACCESS together with their Windows login (see more in SharePoint Archive settings, section System settings)
- Grants permissions to access the given SharePoint connection (archive only)
On-premises SharePoint works with Active Directory and uses its users and groups to grant access to sites, folders and items.
SharePoint defines SharePoint groups, which are collections of AD users, AD groups and other users (Azure, etc.).
The provisioning job also collects information about AD groups and their members. This is important when permissions are evaluated, because they are configured through AD groups.
A snapshot is a copy of the user or group that is created in the archive and remains there even after the user or group is deleted from SharePoint. This allows the last known permissions of the user to be used when working with the archive.
At the end of the provisioning job, the archive has collected the following information:
- All AD groups which are related to SharePoint in some way
- All AD users which are related to SharePoint in some way
- AD group memberships
- SharePoint groups for the given root site connection
- Members of the SharePoint groups
To access folders and documents, the user requires individual permissions, which are synchronized by the SharePoint archive job.
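The membership data listed above can be pictured with the following added sketch, which is not contentACCESS code and does not reflect its database schema. It expands a SharePoint group through nested AD groups (a generalization beyond the text, including circular nesting) and keeps last known memberships for deleted principals; the class, the method names, the sample principals and the exact retention rule in `sync` are assumptions made for illustration.

```python
class ArchiveSnapshot:
    """Constructed model of the snapshot data; not contentACCESS's schema."""

    def __init__(self):
        self.members = {}  # group name -> set of members (users or groups)

    def sync(self, live_groups, live_principals):
        """Merge one provisioning run into the snapshot.
        live_groups: group -> members as currently seen at the source.
        live_principals: every user/group that still exists at the source.
        Assumption: a principal deleted at the source keeps its last known
        memberships; one that still exists but left a group loses them.
        """
        for group, current in live_groups.items():
            previous = self.members.get(group, set())
            deleted = {m for m in previous if m not in live_principals}
            self.members[group] = set(current) | deleted
        # Groups absent from live_groups were deleted: their snapshot stays.

    def effective_users(self, group):
        """Expand a group to its users through nested groups (cycle-safe)."""
        users, stack, seen = set(), [group], set()
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            for member in self.members.get(name, ()):
                if member in self.members:
                    stack.append(member)  # nested group: expand later
                else:
                    users.add(member)
        return users

def demo():
    """Two provisioning runs over constructed sample data."""
    snap = ArchiveSnapshot()
    snap.sync(
        {"SP:Site Members": {"AD:Finance", "carol"},
         "AD:Finance": {"alice", "bob", "AD:Auditors"},
         "AD:Auditors": {"dave", "AD:Finance"}},  # circular nesting
        {"SP:Site Members", "AD:Finance", "AD:Auditors",
         "alice", "bob", "carol", "dave"})
    first = snap.effective_users("SP:Site Members")
    # Run 2: bob and the SharePoint group were deleted; dave left AD:Auditors.
    snap.sync(
        {"AD:Finance": {"alice", "AD:Auditors"}, "AD:Auditors": {"AD:Finance"}},
        {"AD:Finance", "AD:Auditors", "alice", "carol", "dave"})
    return first, snap.effective_users("SP:Site Members")
```

After the second run the deleted user and the deleted SharePoint group still resolve from the snapshot, while the user who merely left an AD group no longer does, so access lists in the archive can legitimately differ from the live directory.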
SharePoint online
The users and SharePoint groups from Office 365 are also synchronized by the provisioning job.
Azure users, together with Azure logins, are also created automatically by the provisioning job.
SharePoint Archive provisioning settings are available on the Provisioning settings page (SharePoint Archive ⇒ Settings ⇒ Provisioning settings):
The status bar of the provisioning job offers the following options:
- If a scheduler has not been selected, the provisioning job can be started/stopped manually with the “start immediately/stop” control button.
- For a manual refresh of the provisioning progress information, click on the “refresh” button.
- To enable/disable auto refresh every 5 seconds, click on the “enable auto refresh”/“disable auto refresh” button.
- The provisioning job can also be deactivated with the “deactivate job” button. A deactivated job will neither start automatically nor can it be started manually.
- The “edit” button is used to select the node where the provisioning job will be run. The user may also rename the provisioning job here.
- To view further event details of the provisioning job (and also to detect any potential failures/errors in the provisioning events), click on the “logs” button. This will redirect you to the monitoring page, where the last run of the provisioning job will be preselected and the last events will be shown in the events table.
The following configuration sections are available on the Provisioning settings page:
- Role to assign: This configuration section allows default contentWEB user roles to be assigned. It is recommended to specify here a default role with fewer contentWEB permissions. The roles to be assigned must be created on the Roles page.
Note: Roles containing Manage system and/or Manage tenant permissions are unavailable in the default roles’ dropdown list.
- Scheduling settings: Select the running times of the provisioning job or create a new scheduler. For more information on how to configure scheduler settings, please refer to section Schedules.
- Notification settings: If the provisioning job could not run properly for some reason, contentACCESS can send a warning about the problem. The notification email message will be sent to the email address that is set here under the Recipient list option. Here you can also choose when these email messages should be sent: only if errors occur, when errors or warnings occur, or always, even if the provisioning job ran without faults.